A series of critical vulnerabilities in Qualcomm chipsets allow hackers to compromise Android devices remotely

0
1527

A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.

Discovered by security researchers from Tencent’s Blade team, the vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that powers hundreds of millions of Android smartphones and tablets.

According to researchers, there are primarily two critical vulnerabilities in Qualcomm chipsets and one in the Qualcomm’s Linux kernel driver for Android which if chained together could allow attackers to take complete control over targeted Android devices within their Wi-Fi range.

“One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip.

The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.

The vulnerabilities in question are:

  • CVE-2019-10539 (Compromising WLAN) — The first flaw is a buffer overflow issue that resides in the Qualcomm WLAN firmware due to lack of length check when parsing the extended cap IE header length.
  • CVE-2019-10540 (WLAN into Modem issue) — The second issue is also a buffer-overflow flaw that also resides in the Qualcomm WLAN firmware and affects its neighborhood area network (NAN) function due to lack of check of count value received in NAN availability attribute.
  • CVE-2019-10538 (Modem into Linux Kernel issue) — The third issue lies in Qualcomm’s Linux kernel driver for Android that can be exploited by subsequently sending malicious inputs from the Wi-Fi chipset to overwrite parts of Linux kernel running the device’s main Android operating system.

Once compromised, the kernel gives attackers full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection.

Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets, according to an advisory published by Qualcomm.

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Researchers discovered the QualPwn vulnerabilities in February and March this year and responsibly reported them to Qualcomm, who then released patches in June and notified OEMs, including Google and Samsung.

Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available

Since Android phones are infamously slow to get patch updates, researchers have decided not to disclose complete technical details or any PoC exploit for these vulnerabilities anytime soon, giving end-users enough time to receive updates from their device manufacturers.


But wait, there’s more

Also out this week from Google are more security fixes for various parts of Android. The worst can be exploited by maliciously crafted media messages to take over a device.

Also, as for devices with Broadcom-based Bluetooth electronics: it’s possible to pwn the gizmos over the air via malicious data packets, which seems pretty bad and worthy of a story on its own.

Here’s a swift summary of the bugs:

  • CVE-2019-2120 in Android runtime “could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions.”
  • CVE-2019-2121, CVE-2019-2122, and CVE-2019-2125 in Framework, with the “most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.”
  • CVE-2019-2126, CVE-2019-2128, CVE-2019-2127, and CVE-2019-2129 in Media Framework, with the “most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.”
  • CVE-2019-2130 to CVE-2019-2137 in System, with “most severe vulnerability in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.”
  • CVE-2019-11516 in Broadcom’s firmware that “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”

There are also a bunch of other Qualcomm bugs (CVE-2019-10492, CVE-2019-10509, CVE-2019-10510, CVE-2019-10499, CVE-2019-10489, and CVE-2019-2294) fixed in the patch batch, from secure boot holes to Bluetooth mishandling.

Again, if you’re using an officially supported Google-branded device, you should be getting these updates over the air soon if not already. If you’re not, then, well, look for updates soon from your manufacturer and/or cellular network provider, or hope they can be installed automatically via Google Play services if they are not too low level. 

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Questo sito utilizza Akismet per ridurre lo spam. Scopri come vengono elaborati i dati derivati dai commenti.